GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-04-09 13:25:52
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD3200BEKT-60F3T1 rev.12.01A12 298,09GB
Running: rdl5h744.exe; Driver: C:\DOCUME~1\User\USTAWI~1\Temp\kxroykow.sys

---- System - GMER 2.2 ----

SSDT  \??\C:\WINDOWS\system32\drivers\HookCentre.sys  ZwDeleteKey [0x9CED727C]
SSDT  \??\C:\WINDOWS\system32\drivers\HookCentre.sys  ZwDeleteValueKey [0x9CED72BC]
SSDT  \??\C:\WINDOWS\system32\drivers\HookCentre.sys  ZwOpenProcess [0x9CED3E0A]
SSDT  \??\C:\WINDOWS\system32\drivers\HookCentre.sys  ZwSetValueKey [0x9CED7220]
SSDT  \WINDOWS\system32\ntkrnlpa.exe  ZwCreateKey [0x804D7FEC]
SSDT  \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7FEC]  ZwCreateKey [0x804D7FEC]
SSDT  \WINDOWS\system32\ntkrnlpa.exe  ZwOpenKey [0x804D7FF1]
SSDT  \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7FF1]  ZwOpenKey [0x804D7FF1]

INT 0x03  \WINDOWS\system32\ntkrnlpa.exe[unknown section]  804D7FF6
INT 0x06  \??\C:\WINDOWS\system32\drivers\Haspnt.sys  9981A16D
INT 0x0E  \??\C:\WINDOWS\system32\drivers\Haspnt.sys  99819FC2

---- Kernel code sections - GMER 2.2 ----

.text  C:\WINDOWS\system32\DRIVERS\ati2mtag.sys  section is writeable [0xA990C000, 0x236DA7, 0xE8000020]
.text  C:\WINDOWS\system32\DRIVERS\aksfridge.sys  section is writeable [0x99716000, 0x48011, 0xE0000020]
.init  C:\WINDOWS\system32\DRIVERS\aksfridge.sys  entry point in ".init" section [0x9976B224]
.init  C:\WINDOWS\system32\DRIVERS\aksfridge.sys  unknown last code section [0x9976B000, 0x4000, 0xE20000E0]
.text  C:\WINDOWS\system32\drivers\hardlock.sys  section is writeable [0x9933D400, 0x6E1B2, 0xE8000020]
.protect˙˙˙˙hardlock  C:\WINDOWS\system32\drivers\hardlock.sys  entry point in ".protect˙˙˙˙hardlock" section [0x993C7220]
.protect˙˙˙˙hardlock  C:\WINDOWS\system32\drivers\hardlock.sys  unknown last code section [0x993C7000, 0x50EA, 0xE0000020]

---- User code sections - GMER 2.2 ----

.text  C:\WINDOWS\Explorer.EXE[1428] SHELL32.dll!StrStrW  7C9CEF18 8 Bytes  [80, BB, 60, 19, A0, BB, 60, ...]

---- Devices - GMER 2.2 ----

Device  \Driver\Tcpip \Device\Ip  GDTdiIcpt.sys
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0  wdf01000.sys
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass1  wdf01000.sys
Device  \Driver\Tcpip \Device\Tcp  GDTdiIcpt.sys
Device  \Driver\Tcpip \Device\Udp  GDTdiIcpt.sys
Device  \Driver\Disk \Device\Harddisk0\DR0  aksfridge.sys
Device  \Driver\Tcpip \Device\RawIp  GDTdiIcpt.sys
Device  \Driver\Tcpip \Device\IPMULTICAST  GDTdiIcpt.sys
AttachedDevice  \FileSystem\Fastfat \Fat  fltMgr.sys

---- Registry - GMER 2.2 ----

Reg  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@ScheduledInstallDate  2016-04-09 10:00:00

---- EOF - GMER 2.2 ----